ASD’s Top 4 becomes Essential 8

The Australian Signals Directorate (ASD) recently published updated guidance, “Strategies to Mitigate Cyber Security Incidents”, replacing its earlier guidance. With it, ASD also expanded its recommended “Top 4” mitigation strategies to the “Essential 8”, adding four mitigation strategies to the list to help agencies build robust defences against targeted cyber intrusions and ransomware.

So what were the Top 4? These were:

Application whitelisting

Restrict administrative privileges

Patch operating systems

Patch applications

ASD considers these four, when implemented together as a package, capable of mitigating at least 85% of targeted cyber intrusions.

Here are the additional four that now make up the Essential 8:

User application hardening

Multi-factor authentication

Disable untrusted Microsoft Office macros

Daily backup of important data

The last two in the list above are new mitigation strategies added to the previous list, increasing the total number of strategies from 35 to 37.

Here is our view on the changes.

When the Top 4 were made mandatory a few years ago, the decision was based on the information available at that time. Cyber threats and attackers have evolved since then; attacks have become more sophisticated, more persistent and more damaging. We wrote about what to watch out for in 2017 in a recent blog. Likewise, agencies have needed more robust techniques to keep pace with the continuous evolution of attackers. ASD has been doing its own research, crunching data and analysing major incidents globally, and has now revised its guidance with the creation of the “Essential 8”.

Before embarking on the implementation of these mitigation strategies, it is critical that organisations perform a thorough risk assessment, which will help them determine the priority order of implementation.

With the previous version of the mitigation guidelines, ASD made a bold statement that its recommended “Top 4” were strong enough to mitigate 85% of “targeted cyber attacks”. What did that statement do? It immediately got the attention of IT security teams, because it looked like a “smallish list” to tackle to achieve a high level of protection, whereas the full list of 35 strategies sounded far more intimidating. Similarly, the “Essential 8” gets attention straight away as a more manageable implementation drawn from a slightly longer list of recommended controls (37 now, up from 35). ASD also divides the Essential 8 into two groups, presumably to make their benefits easier to understand:

To prevent malware running

Application whitelisting

Patch applications

User application hardening

Disable untrusted Microsoft Office macros

To limit the extent of incidents and recover data

Restrict administrative privileges

Patch operating systems

Daily backup of important data

Multi-factor authentication

Mitigation strategies cannot be stagnant; they need to continuously evolve. No IT security professional would have wagered on ASD’s Top 4 remaining unchanged forever. The list had to expand at some stage. Examples such as the Mirai botnet, Stuxnet and the Edward Snowden disclosures have further reinforced the need for additional security controls, which turns the original question around: from “why?” to “why not?”.

This is where the “Essential 8” is well positioned. All agencies that have already implemented, or are on track to implementing, the Top 4 may find it easier to add four more controls to their mitigation strategy without having to allocate massive budget or resources. It is worth noting that some agencies may have proactively gone beyond the “Top 4” to implement some, or all, of the “Essential 8”. They are now sitting back and smiling at their achievements.

Will ASD raise the mandatory governance baseline as well?

The question remains whether ASD will raise the bar for government entities so that the new minimum mandated baseline becomes the Essential 8 (currently the Top 4), thereby reinforcing the importance of embracing the new guide. Without this change, there is a real risk that agencies will be slow to adopt the new guidance. This is a real issue, as the overall level of security is ultimately dictated by the “weakest link”.

Okay, so what next?

With the “Essential 8” becoming the new baseline, we have put together a white paper eGuide to help you navigate the Essential 8, including some recommended strategies that you may want to consider.

Finally: if you do need help navigating through the Essential 8, or any of the others in ASD’s complete list of 37 strategies to mitigate cyber security incidents, then speak to us; we are here to help.

About Macquarie Government: Macquarie Government is a division of the Macquarie Telecom Group (ASX MAQ). It provides services to Federal and State Government agencies, including Secure Internet and Secure Cloud services.

About the author.

With over 20 years of Information Technology experience, Richard has spent a good part of his life building and securing systems and infrastructure.
Passionate about virtualization and cloud computing, Richard’s current focus includes building strategies that incorporate and improve IT security specifically to meet the Australian government needs.